Hey y’all
Finally got 3.5.2 running. I was under the impression that using server-first
SSL bump would still be compatible, despite all the Peek & Splice changes, but
apparently not. Hopefully someone can explain what might be going wrong here ...
Using the same SSL Bump config that we used for 3.4, we're now seeing this happen:
19/Mar/2015-16:21:32 22 d4:f4:6f:71:90:e6 10.0.1.71 TCP_DENIED 200 0 CONNECT 94.31.29.230:443 - server-first - HIER_NONE/- - -
Instead of this:
19/Mar/2015-14:42:04 736 d4:f4:6f:71:90:e6 10.0.1.71 TCP_MISS 200 96913 GET https://code.jquery.com/jquery-1.11.0.min.js - server-first Mozilla/5.0%20(iPhone;%20CPU%20iPhone%20OS%208_2%20like%20Mac%20OS%20X)%20AppleWebKit/600.1.4%20(KHTML,%20like%20Gecko)%20Mobile/12D508 ORIGINAL_DST/94.31.29.53 application/x-javascript -
This request happens in a little splash page which is designed to test if
squid’s CA cert is installed on the client and redirect them to some
instructions if it’s not. This definitely isn’t happening for all intercepted
HTTPS requests, just this (particularly important) one and some others.
SSL Bump config:
ssl_bump none localhost
ssl_bump server-first all
sslproxy_cert_error deny all
sslcrtd_program /usr/bin/squid_ssl_crtd -s /path/to/squid/ssl_db -M 4MB
sslcrtd_children 32 startup=5 idle=1
DNAT intercepting port config:
https_port 3130 intercept name=3130 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/path/to/squid/proxy-cert.cer key=/path/to/squid/proxy-key.key
Thanks!
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
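Added example (not part of the original post, nor Squid's own tooling): the post says the denied CONNECT shows up for "this one and some others", so the practical first step is to triage the access.log and list, per client, which intercepted CONNECTs ended as TCP_DENIED / HIER_NONE with zero bytes and which HTTPS requests were actually bumped (an https:// URL fetched via ORIGINAL_DST). The script below assumes the 15-field whitespace-separated layout visible in the two log lines quoted above (time, duration, client MAC, client IP, result code, status, bytes, method, URL, user, ssl_bump mode, %-encoded user-agent, hierarchy/peer, content type, trailing "-"); the sample log is constructed from those two lines plus one invented TEST-NET destination.

```python
from collections import defaultdict

# Constructed sample in the same 15-field layout as the access.log lines
# quoted in the post. The third line (203.0.113.10) is invented for the demo.
SAMPLE_LOG = """\
19/Mar/2015-16:21:32 22 d4:f4:6f:71:90:e6 10.0.1.71 TCP_DENIED 200 0 CONNECT 94.31.29.230:443 - server-first - HIER_NONE/- - -
19/Mar/2015-14:42:04 736 d4:f4:6f:71:90:e6 10.0.1.71 TCP_MISS 200 96913 GET https://code.jquery.com/jquery-1.11.0.min.js - server-first Mozilla/5.0%20(iPhone) ORIGINAL_DST/94.31.29.53 application/x-javascript -
19/Mar/2015-16:22:10 15 d4:f4:6f:71:90:e6 10.0.1.71 TCP_DENIED 200 0 CONNECT 203.0.113.10:443 - server-first - HIER_NONE/- - -
"""

# Assumed field order, derived from the two lines in the post (the user-agent
# is %-encoded in this logformat, so a plain split() is safe).
FIELDS = ("time", "duration_ms", "client_mac", "client_ip", "result", "status",
          "bytes", "method", "url", "user", "bump_mode", "user_agent",
          "hierarchy", "content_type", "extra")


def parse_line(line):
    """Return one record as a dict, or None if the line is not in the
    expected 15-field layout (skip rather than guess at the columns)."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    # "HIER_NONE/-" or "ORIGINAL_DST/94.31.29.53" -> code and peer
    rec["hier_code"], _, rec["peer"] = rec["hierarchy"].partition("/")
    return rec


def triage(log_text):
    """Group, per client IP, the CONNECTs that were denied before any bump
    happened (TCP_DENIED, no hierarchy, zero bytes) and the HTTPS requests
    that were bumped and forwarded to the intercepted destination."""
    unbumped = defaultdict(list)   # client_ip -> [dest "host:port"]
    bumped = defaultdict(list)     # client_ip -> [https URL]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["method"] == "CONNECT" and rec["result"] == "TCP_DENIED"
                and rec["hier_code"] == "HIER_NONE" and rec["bytes"] == "0"):
            unbumped[rec["client_ip"]].append(rec["url"])
        elif rec["url"].startswith("https://") and rec["hier_code"] == "ORIGINAL_DST":
            bumped[rec["client_ip"]].append(rec["url"])
    return {"unbumped_connects": dict(unbumped), "bumped_requests": dict(bumped)}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for client, dests in report["unbumped_connects"].items():
        print(f"{client}: {len(dests)} denied CONNECT(s) ->", ", ".join(dests))
    for client, urls in report["bumped_requests"].items():
        print(f"{client}: {len(urls)} bumped request(s) ->", ", ".join(urls))
```

Run it against the real access.log (`triage(open("access.log").read())`) to get the list of destination IPs that never got bumped; comparing that list against the ones that did is what tells you whether the splash-page host is a one-off or part of a pattern before changing the ssl_bump rules.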